Basic Computer Security/Malware/Spyware

From Wikibooks, open books for an open world

Combating Spyware

In this chapter you will get a good understanding of what computer spyware and adware are, what they do, and how to fight back.

What is Spyware?

In simplest terms, spyware is a type of malware (malicious software) that watches what users do with their computer and sends this information to its creator (or occasionally to a hacker) over the internet. Different types of spyware collect different information about a user. Less harmful programs track which websites a user visits and send this information to an advertising agency. More malicious programs, often referred to as keyloggers, record what a user types in order to intercept passwords or credit card numbers. Other spyware programs simply launch pop-ups with advertisements; this type of malware may also be referred to as adware.

Originally, spyware referred only to malicious software (malware) that spied on (or monitored) the user, sending information back to its creator. More recently users have come to use the term spyware for any software that does any sort of spying to benefit a third party. This includes adware and keyloggers, amongst other types of malware that monitor the user or allow full or partial control of a computer system's operation by a remote user without the consent of the machine's user (such as trojan horses and rootkits).

Unlike viruses and worms, spyware does not usually self-replicate. Spyware may exploit known weaknesses in computer security or be installed alongside free software (freeware), infecting computers for commercial gain. Spyware typically profits by displaying unsolicited pop-up advertisements (sometimes to goad the user into buying an anti-spyware product created by the same person(s) that made the spyware), stealing personal details (such as usernames, passwords, and credit card numbers), monitoring Web-browsing activity (for marketing purposes), or simply routing HTTP requests (requests to a web server to GET a web page so it can be viewed) to advertising sites.

Spyware is currently one of the major security threats to computers running Microsoft Windows OSs (Operating Systems). As Microsoft's internet browser, Internet Explorer, is closely tied in with the OS, when a security vulnerability is exploited through Internet Explorer the operating system itself may be compromised. Microsoft often patches vulnerabilities in Windows (frequently caused by a bug in Internet Explorer) because, left unpatched, they may "allow remote code execution". Because the Microsoft Windows series of OSs is so widely used, vulnerabilities found in Windows systems are exploited more often: there is usually more chance of finding an unpatched system running Windows at random than of finding, for example, an unpatched OS/2 system.

Fighting back

What is an anti-spyware program?

There are many different anti-spyware programs, each with its own strong points. The main purpose of an anti-spyware program is to detect and remove spyware as well as adware. Some commercial programs, such as Ewido, have higher detection rates than their free counterparts, although a combination of free anti-spyware programs will do just as good a job. The main thing to be careful of when choosing anti-spyware programs is a class of programs known as rogue anti-spyware.

What is a rogue anti-spyware program?

Typically, a rogue anti-spyware program is one that claims to be able to detect and delete spyware but is inadequate at doing so. This may simply be because its definition files (usually shortened to defs) are not updated often enough. More suspicious ones may actually contain spyware themselves, sometimes attempting to persuade the user that buying the rogue product will completely eradicate all spyware threats. Probably the most up-to-date and accurate site listing rogue anti-spyware programs is Spyware Warrior's rogue list (http://www.spywarewarrior.com/rogue_anti-spyware.htm).

Do I need an anti-spyware program?

If you are running Microsoft Windows and have internet access, the answer is most likely yes. Some internet browsers may allow malicious code to execute on your machine and infect it with spyware, and so may some freeware programs, especially some p2p (peer-to-peer) programs. Unlike a virus, spyware is dangerous not because it replicates or carries a destructive payload, but because it may send your personal information over the internet to a remote user.

Where can I get an anti-spyware program, and how much will it cost me?

As has already been mentioned, there are many anti-spyware programs on the market - including some rogue ones. If you are running Microsoft's Windows 2000, XP, Server 2003, or Vista operating systems you can download Microsoft's Windows Defender Beta 2 (currently free) from Microsoft's download page (http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en).

If an anti-spyware program doesn't work, is there an alternative?

The usual recommendation for removing spyware on Microsoft Windows is to update all anti-spyware and anti-virus programs first, then disable System Restore and reboot into Safe Mode. System Restore is disabled because restore points can hold copies of infected files that the scanners cannot clean and that a later restore would bring back; once the system is clean it can be turned on again. Safe Mode loads only the core drivers and services, so spyware that starts with Windows is usually not running and can be deleted.

  • To disable System Restore, right-click My Computer and click Properties. This opens the System Properties window. Click the System Restore tab and tick the Turn off System Restore on all drives checkbox. Click OK; you may be presented with a message box asking whether you wish to restart your computer to apply the changes. Save any changes you have made in other programs, then click Yes or Restart Now.
  • Once the computer starts to reboot, repeatedly press the F8 key (about twice per second) until the boot options screen is displayed. Use the arrow keys to highlight Safe Mode and press Enter.
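The two steps above describe the Windows XP dialogs. On Windows Vista and later the same preparation can be scripted, and scripting it also makes the clean-up step explicit. The following is an added example, not part of the Wikibooks text; it assumes an elevated Windows PowerShell 5.1 session on a system that has the bcdedit tool and the Enable/Disable-ComputerRestore cmdlets (both ship with Windows), and the script name and its -Action parameter are the example's own.

```powershell
# Added example (not from the Wikibooks page): command-line equivalent of the
# "disable System Restore, reboot into Safe Mode" preparation above, plus the
# undo step needed afterwards. Assumes Windows Vista or later and an elevated
# Windows PowerShell 5.1 session.
#   .\Prepare-Cleanup.ps1 -Action Prepare   # before scanning, then reboot
#   .\Prepare-Cleanup.ps1 -Action Finish    # after scanning, before the normal reboot
param(
    [Parameter(Mandatory)]
    [ValidateSet('Prepare', 'Finish')]
    [string]$Action
)

# Both bcdedit and the ComputerRestore cmdlets need administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# The GUI step turns System Restore off "on all drives"; add any other drives
# you have it enabled on to this list (the cmdlet wants the "C:\" form).
$drives = @("$env:SystemDrive\")

switch ($Action) {
    'Prepare' {
        foreach ($d in $drives) {
            # Discards existing restore points, so infected copies held there
            # cannot be reinstated by a later restore.
            Disable-ComputerRestore -Drive $d
        }
        # Make the next boot a minimal Safe Mode boot without having to press F8.
        # The braces must be quoted or PowerShell parses {current} as a script block.
        bcdedit /set '{current}' safeboot minimal | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; Safe Mode was not configured.' }
        Write-Host 'System Restore disabled; the next boot will be Safe Mode. Reboot now.'
    }
    'Finish' {
        # Unlike F8, the bcdedit setting persists across reboots, so it must be
        # removed or every subsequent boot will be Safe Mode.
        bcdedit /deletevalue '{current}' safeboot | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; the safeboot flag may still be set.' }
        # Turn System Restore back on and record a known-clean restore point.
        # (Windows 8 and later allow only one checkpoint per 24 hours by default.)
        foreach ($d in $drives) { Enable-ComputerRestore -Drive $d }
        Checkpoint-Computer -Description 'Post spyware cleanup' -RestorePointType MODIFY_SETTINGS
        Write-Host 'Safe Mode flag cleared; System Restore re-enabled. Reboot normally.'
    }
}
```

Run the Prepare action, reboot, scan with each tool as described below, then run the Finish action before the final normal restart. The Finish step is the part the F8 method lets you skip: because the bcdedit flag is persistent, forgetting it leaves the machine booting into Safe Mode indefinitely.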

Once in Safe Mode, run the programs one at a time and delete or quarantine any detections. The majority of anti-spyware programs back up the objects they delete (usually in encrypted form) in case a detection turns out to be a false positive (the program detected something which in fact did not need to be deleted).

After running all the programs, restart the computer normally (from the shutdown menu). It should automatically boot back into normal mode. Log in and check that the existing problems are no longer present. Occasionally the anti-spyware programs are unable to detect or delete some spyware. In this case there are anti-spyware forums with people who specialise in spyware removal. Experts in spyware removal forums normally ask for a HijackThis log. HijackThis is a program that displays all the settings that spyware and hijackers (software that "hijacks" the internet browser, usually changing its homepage and preventing it from being changed back) commonly modify, such as the browser start page, the hosts file, browser add-ons and the programs started at logon, and it can save these settings to a log file that can be uploaded or pasted to a website or forum.
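To make concrete what such a log contains, the following is an added example, not HijackThis itself and not part of the Wikibooks text. It reads the same classes of settings a hijacker changes (Internet Explorer start and search pages, the hosts file, Browser Helper Objects and the Run keys) from their real registry and file locations and prints them in a HijackThis-like layout. It assumes a Windows system with the Internet Explorer registry keys present and should be run elevated so the HKLM entries are readable; the function name Get-HijackReport and the output file name are the example's own.

```powershell
# Added example (not from the Wikibooks page, and not HijackThis): collects the
# settings a browser hijacker or spyware typically alters so they can be reviewed
# or pasted into a removal-forum post. Run from an elevated PowerShell session.
function Get-HijackReport {
    $report = [System.Collections.Generic.List[string]]::new()

    # R0/R1-style lines: Internet Explorer start, default and search pages.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (Test-Path $key) {
            $main = Get-ItemProperty -Path $key
            foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
                if ($main.PSObject.Properties[$name]) {
                    $report.Add("R $hive\Internet Explorer\Main,$name = $($main.$name)")
                }
            }
        }
    }

    # O1-style lines: hosts file entries other than comments and the stock
    # localhost lines. Hijackers use this file to block anti-spyware update sites
    # or to redirect well-known names to their own servers.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        Get-Content $hosts |
            Where-Object { $_ -notmatch '^\s*(#|$)' -and
                           $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
            ForEach-Object { $report.Add("O1 hosts: $($_.Trim())") }
    }

    # O2-style lines: Browser Helper Objects (IE add-ons), a classic adware home.
    # The CLSID under the BHO key points at the DLL via its InprocServer32 entry.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($clsid in (Get-ChildItem $bho).PSChildName) {
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' }
                   else { '<no InprocServer32 entry>' }
            $report.Add("O2 BHO: $clsid - $dll")
        }
    }

    # O4-style lines: programs launched at logon from the Run/RunOnce keys.
    # On 64-bit Windows the Wow6432Node copies of the HKLM keys also matter.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds.
            if ($p.Name -notmatch '^PS') {
                $report.Add("O4 ${key}: $($p.Name) = $($p.Value)")
            }
        }
    }
    return $report
}

# Show the report and save it as a text file ready to paste into a forum post.
$log = Get-HijackReport
$log | Set-Content -Path (Join-Path $env:USERPROFILE 'Desktop\hijack-report.txt')
$log | Write-Output
```

Read the output the way a removal-forum helper would: a start page you did not set, any hosts line pointing a security vendor's name at an unexpected address, a BHO whose DLL lives in a temporary or user-writable directory, or a Run entry launching an unfamiliar executable are the entries to investigate first. As with HijackThis, the list is a set of facts about the machine, not a verdict; legitimate software uses every one of these locations too.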

See Also

  • Avoiding Keyloggers: A basic method for entering passwords in a keylogger-hostile environment